5cc02b9bc4
[Tuning] Connection to Commonly Abused Web Services ( #3587 )
...
excluding top noisy patterns :
- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download
(cherry picked from commit 9692e59abb
2024-04-11 11:18:08 +00:00
e311ca538b
[Rule Tuning] Windows BBR Rule Tuning - 1 ( #3579 )
...
* [Rule Tuning] Windows BBR Rule Tuning - 1
* Update non-ecs-schema.json
* Update rules_building_block/command_and_control_certutil_network_connection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/collection_common_compressed_archived_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update defense_evasion_dll_hijack.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit d0dfa479bb
2024-04-08 13:45:38 +00:00
724790e74a
[Rule Tuning] Windows BBR Rule Tuning - 3 ( #3581 )
...
* [Rule Tuning] Windows BBR Rule Tuning - 3
* Update non-ecs-schema.json
* Update rules_building_block/execution_settingcontent_ms_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_startup_folder_lnk.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit c5addae009
2024-04-08 12:54:51 +00:00
740f139cbd
[Rule Tuning] Windows BBR Rule Tuning - 2 ( #3580 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Removed changes from:
- rules_building_block/discovery_posh_generic.toml
(selectively cherry picked from commit 1bc59bdc04
2024-04-08 12:41:34 +00:00
535175c33d
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition ( #3576 )
...
* [Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Update rules_building_block/discovery_security_software_wmic.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Endgame tag
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 109e8a85a5
2024-04-08 12:04:40 +00:00
b4743f52de
[Rule Tuning] WRITEDAC Access on Active Directory Object ( #3583 )
...
(cherry picked from commit e125a4e4cf
2024-04-08 11:50:28 +00:00
591ce49694
[Rule Tuning] Svchost spawning Cmd ( #3578 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit aa0cc42ff6
2024-04-08 10:57:07 +00:00
940a776dd0
updated to v14.0 mitre ATT&CK ( #3289 )
...
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
(cherry picked from commit 0cb42983c1
2024-04-05 18:37:30 +00:00
6e8d5f31b8
Bump KQL lib Version ( #3575 )
...
(cherry picked from commit e6f48ade01
2024-04-05 17:46:07 +00:00
354acf7f5a
Update default ( #3574 )
...
(cherry picked from commit fbb6df506e
2024-04-05 00:34:29 +00:00
c6df1d085f
[Bug] KQL fails validation on uppercase keywords ( #3568 )
...
* add todo
* Add a normalize_kql_keywords function to utils
* update rule loader to normalize and warn
* optimized loading
* fix linting
* Moved conversion to kql module.
* Updated unit test
* Refactor KQL parser to normalize keywords via flag
* Fix logic typo
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update lib/kql/kql/__init__.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Updated to fix unit tests and remove warnings
* linting typo
* Added comments
* remove unused imports
* Update kql.parse default
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 1566c29bae
2024-04-04 22:10:16 +00:00
07204987f2
[Bug] New Terms Rule Import Failing ( #3569 )
...
* initial patch
* Update definitions to allow for brackets in name
* Update to prompt for required fields.
* Update detection_rules/cli_utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit fa75876322
2024-04-04 21:44:19 +00:00
d3458a0b7f
[Bug] Add explicit format preserver ( #3566 )
...
(cherry picked from commit c35652c8c8
2024-04-04 20:57:40 +00:00
5066f9203c
[Bug] Threshold Rule Importing Failures ( #3560 )
...
* remove threshold specific req
* fix test event override
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit a9cc323d09
2024-04-03 18:22:42 +00:00
2812118000
Add filebeat-* index pattern to rules based on system.auth dataset ( #3561 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 153657029b
2024-04-03 09:35:17 +00:00
502deb1978
Deprecate Releasing to a patch kibana version workflow ( #3552 )
...
(cherry picked from commit 3fbffa24ed
2024-04-03 03:11:19 +00:00
d515a539d4
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3567 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit 8d5bd3b0f6
2024-04-02 18:36:59 +00:00
7438c38b29
Fix minstack version for O365 prod rules ( #3565 )
...
(cherry picked from commit 0e2eb5a84c
2024-04-02 16:12:24 +00:00
a3ba0fcda3
[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution ( #3545 )
...
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 4ab7c9b178
2024-04-02 14:13:37 +00:00
010e564256
[Tuning] Connection to Commonly Abused Web Services ( #3425 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 69173872da
2024-04-02 13:48:50 +00:00
ece5175894
[New Rule] Suspicious Access to LDAP Attributes ( #2504 )
...
* Create discovery_high_number_ad_properties.toml
* Update discovery_high_number_ad_properties.toml
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed tags; moved note to setup, updated date
* Update discovery_high_number_ad_properties.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit f025616cbd
2024-04-02 13:04:54 +00:00
36c6968d71
[Rule Tuning] Potential Application Shimming via Sdbinst ( #3553 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit c781376188
2024-04-02 09:42:16 +00:00
d00325f432
[New] Potential Execution via XZBackdoor ( #3555 )
...
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f2490007e8
2024-04-02 04:22:04 +00:00
4eac68bb07
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit b47b91b9ec
2024-04-01 23:52:07 +00:00
9cba1e96e6
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions ( #3505 )
...
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions
* update min_stack
* build out schema in more detail for Filters
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Remove enum for definition
* remove unused import
* remove $state store
* transform state
* add call to super
* add return type hint
* use dataclass metadata
* use Literal type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Removed changes from:
- rules/windows/collection_mailbox_export_winlog.toml
- rules/windows/collection_posh_clipboard_capture.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/execution_posh_hacktool_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml
- rules_building_block/discovery_posh_generic.toml
- rules_building_block/lateral_movement_posh_winrm_activity.toml
(selectively cherry picked from commit 67ca13c1ce
2024-04-01 20:52:24 +00:00
390cb8e2d1
Update setup guide for ML integration packages ( #3475 )
...
* Add more detail to ingest pipeline install
* Add more info to anomaly detection setup
* Update draft
* Fix typo
* Bulk add doc updates
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Address Kseniia feedback
* Update updated_date per review feedback
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 400a84628e
2024-04-01 19:09:37 +00:00
aef30b595d
[FR] Add support for investigation_fields ( #3550 )
...
(cherry picked from commit bb907a4d76
2024-04-01 16:59:11 +00:00
a2fd651db3
Fix create PR in release workflow ( #3528 )
...
(cherry picked from commit 8b215eac41
2024-04-01 15:54:13 +00:00
92c5b6ad1b
[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory ( #3477 )
...
* deprecating
* adjusted matury tag; updated dates
(cherry picked from commit d4bf04256d
2024-04-01 15:08:08 +00:00
5ab2090060
[FR] Add required-fields option to import-rules ( #3546 )
...
(cherry picked from commit b6a7e7ebda
2024-03-28 23:36:29 +00:00
24d4cdaf5d
[New Rules] Potential PowerShell Pass-the-Hash/Relay Script ( #3543 )
...
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script
* Update credential_access_posh_relay_tools.toml
* Update execution_posh_hacktool_functions.toml
* Update credential_access_posh_relay_tools.toml
* Update credential_access_posh_relay_tools.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 218c3bead6
2024-03-28 10:15:17 +00:00
f217aed00d
[New Rule] Creation of a DNS-Named Record ( #3539 )
...
* [New Rule] Creation of a DNS-Named Record
* Update credential_access_dnsnode_creation.toml
* Update rules/windows/credential_access_dnsnode_creation.toml
(cherry picked from commit 954a93c3b4
2024-03-27 21:27:49 +00:00
fff1170ffc
[New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation ( #3535 )
...
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation
* Update credential_access_adidns_wildcard.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 67e9ebf8e1
2024-03-27 13:14:33 +00:00
09b2ff76a9
[New] Suspicious Execution via ScreenConnect ( #3541 )
...
* [New] Suspicious Execution via ScreenConnect
- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)
* Update command_and_control_screenconnect_childproc.toml
* Update rules/windows/initial_access_webshell_screenconnect_server.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_screenconnect_childproc.toml
* Update command_and_control_screenconnect_childproc.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit d7aff43621
2024-03-27 12:01:14 +00:00
28b6e2c042
fix typo in lateral_movement_remote_services.toml ( #3538 )
...
(cherry picked from commit 138447221f
2024-03-27 10:45:46 +00:00
155ac20303
[Rule Tuning] Scheduled Task Activity via pwsh ( #3534 )
...
(cherry picked from commit 760b99bcc1
2024-03-26 13:52:17 +00:00
9fa3292200
[New] Suspicious JetBrains TeamCity Child Process ( #3532 )
...
* [New] Suspicious JetBrains TeamCity Child Process
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
(cherry picked from commit fc76a8bcb5
2024-03-25 16:39:58 +00:00
149c78b390
Update sort parameter ( #3531 )
...
(cherry picked from commit 3503786154
2024-03-25 15:53:27 +00:00
981702698c
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3526 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit eaf4658620
2024-03-21 15:08:44 +00:00
ba1158808f
[Bug] Update lock versions dependencies ( #3525 )
...
(cherry picked from commit fc7cc2c06a
2024-03-21 13:43:07 +00:00
7f3799319d
[New Rules] Veeam Credential Access DRs ( #3516 )
...
* [New Rules] Veeam Credential Access DRs
* bump
* Update credential_access_veeam_commands.toml
* Update credential_access_veeam_backup_dll_imageload.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update credential_access_veeam_commands.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 779fa7710d
2024-03-21 13:08:44 +00:00
ce984b8531
[Rule Tuning] Potential Reverse Shell via UDP ( #3508 )
...
(cherry picked from commit a6028b43b3
2024-03-21 12:55:46 +00:00
b06b730213
Update README.md ( #3524 )
...
(cherry picked from commit e37bc6f781
2024-03-20 18:39:33 +00:00
32ed8f141d
[Rule Tuning] SMTP on Port 26/TCP ( #3521 )
...
(cherry picked from commit 07abc19932
2024-03-19 21:02:22 +00:00
f66da9d350
[FR] Update Python Dependency Versions ( #3515 )
...
(cherry picked from commit 5c3523954e
2024-03-19 19:14:23 +00:00
b19541f0f8
[Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' ( #3494 )
...
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'
* reverting lookback window
* missing word in description
(cherry picked from commit f6e79944f2
2024-03-15 23:16:44 +00:00
3354460843
[FR] Independently package kql / kibana and bump to py3.12 ( #3514 )
...
(cherry picked from commit d26981f712
2024-03-15 01:25:26 +00:00
f1542e6ef5
[FR] Add support for dataviews in the rule schema ( #3510 )
...
(cherry picked from commit 8724077a0e
2024-03-14 22:48:17 +00:00
18a34a15ff
[Rule Tuning] Guided Onboarding Rule ( #3502 )
...
* [Rule Tuning] Guided Onboarding Rule
* Update guided_onboarding_sample_rule.toml
* Revert "Update guided_onboarding_sample_rule.toml"
This reverts commit 18721277df7416534440a4708fa3b060f2775a27.
* Update guided_onboarding_sample_rule.toml
* Update guided_onboarding_sample_rule.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit c610e19114
2024-03-14 14:04:20 +00:00
9f234eecc7
[New Rules] mprotect() RWX Binary Execution ( #3507 )
...
* [New Rules] mprotect() RWX Binary Execution
* Added rule names
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
(cherry picked from commit 4179180fcb
2024-03-13 21:17:57 +00:00
Samirbous